diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch new file mode 100644 index 0000000..f63464c --- /dev/null +++ b/SOURCES/samba-4-15-fix-autorid.patch 
@@ -0,0 +1,231 @@ +From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:06:30 +0100 +Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) +--- + source3/winbindd/idmap_autorid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c +index ad53b5810ee..c7d56a37684 100644 +--- a/source3/winbindd/idmap_autorid.c ++++ b/source3/winbindd/idmap_autorid.c +@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) + config->maxranges = (dom->high_id - dom->low_id + 1) / + config->rangesize; + +- if (config->maxranges == 0) { +- DEBUG(1, ("Allowed uid range is smaller than rangesize. " +- "Increase uid range or decrease rangesize.\n")); ++ if (config->maxranges < 2) { ++ DBG_WARNING("Allowed idmap range is not a least double the " ++ "size of the rangesize. 
Please increase idmap " ++ "range.\n"); + status = NT_STATUS_INVALID_PARAMETER; + goto error; + } +-- +2.35.1 + + +From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:07:50 +0100 +Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) +--- + source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 98bcc219b1e..58ba46bc15f 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, + return false; /* Keep scanning */ + } + ++static int idmap_config_int(const char *domname, const char *option, int def) ++{ ++ int len = snprintf(NULL, 0, "idmap config %s", domname); ++ ++ if (len == -1) { ++ return def; ++ } ++ { ++ char config_option[len+1]; ++ snprintf(config_option, sizeof(config_option), ++ "idmap config %s", domname); ++ return lp_parm_int(-1, config_option, option, def); ++ } ++} ++ + static bool do_idmap_check(void) + { + struct idmap_domains *d; +@@ -157,6 +172,42 @@ static bool do_idmap_check(void) + rc); + } + ++ /* Check autorid backend */ ++ if (strequal(lp_idmap_default_backend(), "autorid")) { ++ struct idmap_config *c = NULL; ++ bool found = false; ++ ++ for (i = 0; i < d->count; i++) { ++ c = &d->c[i]; ++ ++ if (strequal(c->backend, "autorid")) { ++ found = true; ++ break; ++ } ++ } ++ ++ if (found) { ++ uint32_t rangesize = ++ idmap_config_int("*", "rangesize", 100000); ++ uint32_t maxranges = ++ (c->high - c->low + 1) / rangesize; ++ ++ if (maxranges < 2) { ++ fprintf(stderr, ++ "ERROR: The idmap autorid range " ++ "[%u-%u] needs to be at least twice as " ++ "big as the rangesize [%u]!" 
++ "\n\n", ++ c->low, ++ c->high, ++ rangesize); ++ ok = false; ++ goto done; ++ } ++ } ++ } ++ ++ /* Check for overlapping idmap ranges */ + for (i = 0; i < d->count; i++) { + struct idmap_config *c = &d->c[i]; + uint32_t j; +-- +2.35.1 + + +From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:05:19 +0100 +Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) +--- + docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml +index 6c4da1cad8a..980718f0bd4 100644 +--- a/docs-xml/manpages/idmap_autorid.8.xml ++++ b/docs-xml/manpages/idmap_autorid.8.xml +@@ -48,7 +48,13 @@ + and the corresponding map is discarded. It is + intended as a way to avoid accidental UID/GID + overlaps between local and remotely defined +- IDs. ++ IDs. 
Note that the range should be a multiple ++ of the rangesize and needs to be at least twice ++ as large in order to have sufficient id range ++ space for the mandatory BUILTIN domain. ++ With a default rangesize of 100000 the range ++ needs to span at least 200000. ++ This would be: range = 100000 - 299999. + + + +-- +2.35.1 + diff --git a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch new file mode 100644 index 0000000..2d7ad44 --- /dev/null +++ b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch 
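Review bot: The new `do_idmap_check` block in the testparm.c hunk divides by `rangesize` without checking it is non-zero: a configuration of `idmap config * : rangesize = 0` (or a negative value, which the `int` result of `idmap_config_int` turns into a huge `uint32_t`) makes `(c->high - c->low + 1) / rangesize` a division by zero and aborts testparm instead of reporting a configuration error. Add a guard before the division, e.g. `if (rangesize == 0) { fprintf(stderr, "ERROR: idmap autorid rangesize must be greater than 0!\n\n"); ok = false; goto done; }`, and range-check the `lp_parm_int` result before assigning it to `uint32_t`. The winbindd side may already reject a zero rangesize during `idmap_autorid_initialize`, but testparm evaluates the configuration independently, so it needs its own check. The warning text added in idmap_autorid.c reads `not a least double the size`; it should say `not at least double`. Both `idmap_autorid_initialize` and `do_idmap_check` continue outside the quoted inner hunks.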
@@ -0,0 +1,477 @@ +From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 16:53:02 +0100 +Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/test_net_ads.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 76b394b10a9..cfafb945b62 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -51,6 +51,12 @@ fi + + testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") ++testit "local krb5.conf created" \ ++ test -r \ ++ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || ++ failed=$((failed + 1)) ++ + testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + + netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') +-- +2.35.1 + + +From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:03:40 +0100 +Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 75beeef4a44..60fe03fd5d7 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -1,4 +1,4 @@ +-/* ++/* + Unix SMB/CIFS implementation. 
+ kerberos utility library + Copyright (C) Andrew Tridgell 2001 +@@ -37,11 +37,11 @@ + #define LIBADS_CCACHE_NAME "MEMORY:libads" + + /* +- we use a prompter to avoid a crash bug in the kerberos libs when ++ we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... + */ +-static krb5_error_code ++static krb5_error_code + kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, +@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal, + krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); + } + +- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), ++ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), + kerb_prompter, discard_const_p(char, password), + 0, NULL, opt))) { + goto out; +@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name) + } + + if ((code = krb5_cc_destroy (ctx, cc))) { +- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", ++ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", + error_message(code))); + } + +@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal, + int time_offset, + const char *cache_name) + { +- return kerberos_kinit_password_ext(principal, +- password, +- time_offset, +- 0, ++ return kerberos_kinit_password_ext(principal, ++ password, ++ time_offset, ++ 0, + 0, + cache_name, + False, +-- +2.35.1 + + +From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:04:34 +0100 +Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string() + +This avoids useless allocations. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 60fe03fd5d7..1bf149ef09b 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx, + struct netlogon_samlogon_response **responses = NULL; + NTSTATUS status; + bool ok; +- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", +- print_canonical_sockaddr_with_port(mem_ctx, pss)); ++ char *kdc_str = NULL; + ++ SMB_ASSERT(pss != NULL); ++ ++ kdc_str = talloc_asprintf(mem_ctx, ++ "\t\tkdc = %s\n", ++ print_canonical_sockaddr_with_port(mem_ctx, ++ pss)); + if (kdc_str == NULL) { + TALLOC_FREE(frame); + return NULL; +@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx, + } + } + +- dc_addrs2 = talloc_zero_array(talloc_tos(), +- struct tsocket_address *, +- num_dcs); +- + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { + TALLOC_FREE(kdc_str); + goto out; + } ++ ++ dc_addrs2 = talloc_zero_array(talloc_tos(), ++ struct tsocket_address *, ++ num_dcs); + if (dc_addrs2 == NULL) { + TALLOC_FREE(kdc_str); + goto out; +-- +2.35.1 + + +From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:10:47 +0100 +Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 1bf149ef09b..6a46d72a156 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + + 
result = kdc_str; + out: +- DBG_DEBUG("Returning\n%s\n", kdc_str); ++ if (result != NULL) { ++ DBG_DEBUG("Returning\n%s\n", kdc_str); ++ } else { ++ DBG_NOTICE("Failed to get KDC ip address\n"); ++ } + + TALLOC_FREE(ip_sa_site); + TALLOC_FREE(ip_sa_nonsite); +-- +2.35.1 + + +From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:48:23 +0100 +Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in + get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 6a46d72a156..d1c410ffa4b 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + } + + /* Append to the string - inefficient but not done often. */ +- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", +- kdc_str, +- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); +- TALLOC_FREE(kdc_str); ++ new_kdc_str = talloc_asprintf_append( ++ kdc_str, ++ "\t\tkdc = %s\n", ++ print_canonical_sockaddr_with_port( ++ mem_ctx, &dc_addrs[i])); + if (new_kdc_str == NULL) { + goto out; + } +-- +2.35.1 + + +From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:56:58 +0100 +Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index d1c410ffa4b..aadc65a3edc 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -438,7 +438,7 @@ static char 
*get_kdc_ip_string(char *mem_ctx, + + SMB_ASSERT(pss != NULL); + +- kdc_str = talloc_asprintf(mem_ctx, ++ kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", + print_canonical_sockaddr_with_port(mem_ctx, + pss)); +@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + */ + + if (sitename) { +- status = get_kdc_list(talloc_tos(), ++ status = get_kdc_list(frame, + realm, + sitename, + &ip_sa_site, +@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + + /* Get all KDC's. */ + +- status = get_kdc_list(talloc_tos(), ++ status = get_kdc_list(frame, + realm, + NULL, + &ip_sa_nonsite, +@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + kdc_str = new_kdc_str; + } + +- result = kdc_str; ++ result = talloc_move(mem_ctx, &kdc_str); + out: + if (result != NULL) { + DBG_DEBUG("Returning\n%s\n", kdc_str); +@@ -597,8 +597,6 @@ out: + DBG_NOTICE("Failed to get KDC ip address\n"); + } + +- TALLOC_FREE(ip_sa_site); +- TALLOC_FREE(ip_sa_nonsite); + TALLOC_FREE(frame); + return result; + } +-- +2.35.1 + + +From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:57:18 +0100 +Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str + +This is allocated on the stackframe now! 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index aadc65a3edc..2087dc1e6f9 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + print_canonical_sockaddr_with_port(mem_ctx, + pss)); + if (kdc_str == NULL) { +- TALLOC_FREE(frame); +- return NULL; ++ goto out; + } + + ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); + if (!ok) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list fail %s\n", + nt_errstr(status)); +- TALLOC_FREE(kdc_str); + goto out; + } + DBG_DEBUG("got %zu addresses from site %s search\n", +@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list (site-less) fail %s\n", + nt_errstr(status)); +- TALLOC_FREE(kdc_str); + goto out; + } + DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); +@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (count_site + count_nonsite < count_site) { + /* Wrap check. 
*/ + DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, + count_site + count_nonsite); + if (dc_addrs == NULL) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + struct tsocket_address *, + num_dcs); + if (dc_addrs2 == NULL) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + status = map_nt_error_from_unix(errno); + DEBUG(2,("Failed to create tsocket_address for %s - %s\n", + addr, nt_errstr(status))); +- TALLOC_FREE(kdc_str); + goto out; + } + } +@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " + "%s\n", nt_errstr(status))); +- TALLOC_FREE(kdc_str); + goto out; + } + +-- +2.35.1 + + +From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 13:02:05 +0100 +Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for + NULL in get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 2087dc1e6f9..20dceeefb22 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx, + NTSTATUS status; + bool ok; + char *kdc_str = NULL; ++ char *canon_sockaddr = NULL; + + SMB_ASSERT(pss != 
NULL); + ++ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); ++ if (canon_sockaddr == NULL) { ++ goto out; ++ } ++ + kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", +- print_canonical_sockaddr_with_port(mem_ctx, +- pss)); ++ canon_sockaddr); + if (kdc_str == NULL) { + goto out; + } +-- +2.35.1 + + +From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 13:10:06 +0100 +Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf + +We create an KDC ip string entry directly at the beginning, use it if we +don't have any additional DCs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 20dceeefb22..3fd86e87064 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { ++ /* ++ * We do not have additional KDCs, but we have the one passed ++ * in via `pss`. So just use that one and leave. ++ */ ++ result = talloc_move(mem_ctx, &kdc_str); + goto out; + } + +-- +2.35.1 + diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch new file mode 100644 index 0000000..93c2caa --- /dev/null +++ b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch 
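Review bot: After patch 6/9 the success path does `result = talloc_move(mem_ctx, &kdc_str);` and then falls into `out:`, where patch 4/9's `DBG_DEBUG("Returning\n%s\n", kdc_str);` is still evaluated — but talloc_move leaves `kdc_str` NULL, so the debug line now formats a NULL pointer with `%s` instead of the KDC list; patch 9/9's early `result = talloc_move(mem_ctx, &kdc_str); goto out;` has the same effect, and the log line should read `DBG_DEBUG("Returning\n%s\n", result);`. Separately, patch 5/9 still formats the loop entries with `print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])`, so every temporary string is left on the caller's context after `talloc_asprintf_append` has copied it; patch 8/9 moves only the first call onto `frame`, and the loop call should follow so nothing but `result` outlives the stackframe. The body of `get_kdc_ip_string` extends well beyond the quoted inner hunks, so I cannot see whether anything else still reads `kdc_str` after the move. In the shell test, `awk '/workgroup =/ { print $NR }'` prints the field whose number equals the current record number, which only yields the workgroup value if that line happens to be the matching record; `print $3` (or `$NF`) states the intent.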
@@ -0,0 +1,411 @@ +From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 12:59:44 +0100 +Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error + path + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) +--- + source3/libads/authdata.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index dd21d895fc2..c048510d480 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; +- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; ++ DATA_BLOB tkt = data_blob_null; ++ DATA_BLOB tkt_wrapped = data_blob_null; ++ DATA_BLOB ap_rep = data_blob_null; ++ DATA_BLOB sesskey1 = data_blob_null; + const char *auth_princ = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + struct auth_session_info *session_info; +@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + ZERO_STRUCT(sesskey1); + + if (!name || !pass) { +- return NT_STATUS_INVALID_PARAMETER; ++ status = NT_STATUS_INVALID_PARAMETER; ++ goto out; + } + + if (cache_name) { +@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + + if (expire_time && renew_till_time && + (*expire_time == 0) && (*renew_till_time == 0)) { +- return NT_STATUS_INVALID_LOGON_TYPE; ++ status = NT_STATUS_INVALID_LOGON_TYPE; ++ goto out; + } + + ret = ads_krb5_cli_get_ticket(mem_ctx, +-- +2.35.1 + + +From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:00:05 +0100 +Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug + macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan 
Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) +--- + lib/krb5_wrap/krb5_samba.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..42d4b950f80 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + goto done; + } + +- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); ++ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); + + /* FIXME: we should not fall back to defaults */ + ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); +-- +2.35.1 + + +From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:28 +0100 +Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer + debug macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) +--- + lib/krb5_wrap/krb5_samba.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 42d4b950f80..76c2dcd2126 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + + ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); + if (ret) { +- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); ++ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " ++ "for client '%s' and service '%s' failed: %s\n", ++ ccache_string, client_string, service_string, ++ error_message(ret)); + goto done; + } + +-- +2.35.1 + + +From 
00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:08:56 +0100 +Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from + kerberos_return_pac() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) +--- + source3/libads/authdata.c | 22 +++++++++++++++++++++- + source3/libads/kerberos_proto.h | 2 ++ + source3/utils/net_ads.c | 2 ++ + source3/winbindd/winbindd_pam.c | 2 ++ + 4 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index c048510d480..bf9a2335445 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **_pac_data_ctr) + { + krb5_error_code ret; +@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; + struct PAC_DATA_CTR *pac_data_ctr = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); +@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + goto out; + } + ++ if (_canon_principal != NULL) { ++ *_canon_principal = NULL; ++ } ++ ++ if (_canon_realm != NULL) { ++ *_canon_realm = NULL; ++ } ++ + if (cache_name) { + cc = cache_name; + } +@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + request_pac, + add_netbios_addr, + renewable_time, +- NULL, NULL, NULL, ++ tmp_ctx, ++ &canon_principal, ++ &canon_realm, + &status); + if (ret) { + DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", 
+@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + } + + *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); ++ if (_canon_principal != NULL) { ++ *_canon_principal = talloc_move(mem_ctx, &canon_principal); ++ } ++ if (_canon_realm != NULL) { ++ *_canon_realm = talloc_move(mem_ctx, &canon_realm); ++ } + + out: + talloc_free(tmp_ctx); +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index 3d7b5bc074b..807381248c8 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **pac_data_ctr); + + /* The following definitions come from libads/krb5_setpw.c */ +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 8f993f9ba4c..c41fb0afe9c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch + 2592000, /* one month */ + impersonate_princ_s, + local_service, ++ NULL, ++ NULL, + pac_data_ctr); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 7606bfb4ecd..025a5cbc111 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, ++ NULL, ++ NULL, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +-- +2.35.1 + + +From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:19:02 +0100 +Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache 
+ entry + +They will be used later to refresh the tickets. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) +--- + source3/winbindd/winbindd.h | 2 ++ + source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- + source3/winbindd/winbindd_pam.c | 14 ++++++++++---- + source3/winbindd/winbindd_proto.h | 4 +++- + 4 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index a6b2238cec1..dac4a1fa927 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { + const char *service; + const char *username; + const char *realm; ++ const char *canon_principal; ++ const char *canon_realm; + struct WINBINDD_MEMORY_CREDS *cred_ptr; + int ref_count; + uid_t uid; +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index c3077e21989..88847b1ab97 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request) ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm) + { + struct WINBINDD_CCACHE_ENTRY *entry = NULL; + struct timeval t; +@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + goto no_mem; + } + } ++ if (canon_principal != NULL) { ++ entry->canon_principal = talloc_strdup(entry, canon_principal); ++ if (entry->canon_principal == NULL) { ++ goto no_mem; ++ } ++ } ++ if (canon_realm != NULL) { ++ entry->canon_realm = talloc_strdup(entry, canon_realm); ++ if (entry->canon_realm == NULL) { ++ goto no_mem; ++ } ++ } + + entry->ccname = talloc_strdup(entry, ccname); + if 
(!entry->ccname) { +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 025a5cbc111..a24cef78440 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + const char *local_service; + uint32_t i; + struct netr_SamInfo6 *info6_copy = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + bool ok; + + *info6 = NULL; +@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, +- NULL, +- NULL, ++ &canon_principal, ++ &canon_realm, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + time(NULL), + ticket_lifetime, + renewal_until, +- false); ++ false, ++ canon_principal, ++ canon_realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", +@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, + time(NULL), + time(NULL) + lp_winbind_cache_time(), + time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, +- true); ++ true, ++ principal_s, ++ realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed " +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index c0d653a6d77..16c23f3de40 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request); ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm); + NTSTATUS remove_ccache(const char *username); + struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); + 
NTSTATUS winbindd_add_memory_creds(const char *username, +-- +2.35.1 + + +From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:44 +0100 +Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the + credentials + +The principal name stored in the winbindd ccache entry might be an +enterprise principal name if enterprise principals are enabled. Use +the canonical name to renew the credentials. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) +--- + source3/winbindd/winbindd_cred_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index 88847b1ab97..6c65db6a73f 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -209,7 +209,7 @@ rekinit: + set_effective_uid(entry->uid); + + ret = smb_krb5_renew_ticket(entry->ccname, +- entry->principal_name, ++ entry->canon_principal, + entry->service, + &new_start); + #if defined(DEBUG_KRB5_TKT_RENEWAL) +-- +2.35.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 8d088f3..ba8072a 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 101 +%global baserelease 105 %global samba_version 4.15.5 %global talloc_version 2.3.3 
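Review bot: Patch 6/6 switches the renewal call to `entry->canon_principal`, but `add_ccache_to_list` only fills that field when the new `canon_principal` argument is non-NULL and the hunk at @@ -617 sits in the new-entry path, so an entry that already existed, or was added by a caller not visible here, may carry a NULL `canon_principal` into `smb_krb5_renew_ticket`, which formats `client_string` with `%s` in its new `DBG_DEBUG` and hands it to the krb5 library. Fall back to the old name rather than pass NULL: `entry->canon_principal != NULL ? entry->canon_principal : entry->principal_name`. In patch 4/6 the out-parameters are cleared only after the `if (!name || !pass)` early exit, so on that error path `*_canon_principal`/`*_canon_realm` are left untouched; move the two `= NULL` assignments above the parameter check so callers can rely on them on every return. The offline path in `winbindd_dual_pam_auth_cached` passes `principal_s`/`realm` rather than a canonicalised name, which is only correct if renewal for such postponed entries is re-derived elsewhere — worth a comment at that call. The bodies of `add_ccache_to_list`, `kerberos_return_pac` and the `rekinit:` loop continue outside the quoted inner hunks.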
@@ -209,6 +209,9 @@ Patch4: samba-disable-systemd-notifications.patch Patch5: samba-disable-ntlmssp.patch Patch6: samba-password-change-prompt.patch Patch7: samba-virus_scanner.patch +Patch8: samba-4-15-fix-autorid.patch +Patch9: samba-4-15-fix-winbind-refresh-tickets.patch +Patch10: samba-4-15-fix-create-local-krb5-conf.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -4107,6 +4110,19 @@ fi %endif %changelog +* Fri Mar 18 2022 Andreas Schneider - 4.15.5-105 +- resolves: rhbz#2064765 - Fix 'create krb5 conf = yes` when a KDC has a single + IP address. + +* Thu Feb 24 2022 Andreas Schneider - 4.15.5-104 +- resolves: rhbz#2057500 - Fix winbind kerberos ticket refresh + +* Mon Feb 21 2022 Andreas Schneider - 4.15.5-103 +- related: rhbz#2044231 - Fix typo in testparm output + +* Thu Feb 17 2022 Andreas Schneider - 4.15.5-102 +- resolves: rhbz#2044231 - Improve idmap autorid sanity checks and documentation + * Mon Feb 14 2022 Pavel Filipenský - 4.15.5-101 - resolves: #2050111 - [RFE] Change change password change prompt phrasing - resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file